Re: What pain points exist in the current security-tracker structure?
Hi,
On 06/04/2025 09:25, Roberto C. Sánchez wrote:
> As you go about tasks which require interacting with the security
> tracker, what pain points exist for you?
One pain point that happened again today is the confusing terminology.
In particular:
- "no-dsa": everybody gets confused by this: users, maintainers, LTS
contributors.
It's generally understood as "won't fix", while it can be fixed through
other means than DSA (typically PU).
In general, let's not name something using a negative.
Let's keep in mind that even among DDs/DMs the different security
workflows aren't clear (DSA, PU), they usually only upload to unstable.
It gets even more confusing when the CVE eventually moves to LTS.
The fact that it has "sub-states" with postponed & ignored is unique in
the tracker and brings further confusion.
"deferred" (as is: deferred from Debian Security Team to the rest of
Debian: maintainers, release team, LTS team, etc.) may be better, though
still unclear to a common Debian user.
Dropping "no-dsa" and only using "postponed" and "ignored" would be
another proposal.
- "Minor issue": again this is centric to the Security Team, this
confused upstream e.g. Samba:
https://lists.debian.org/debian-security/2021/05/msg00011.html
It's rarely mentioned why an issue is Minor and this can be puzzling (I
try to add a few words of context myself).
"Minor issue" covers a wide range of issues, usually anything that isn't
critical and/or remote, but is explicitly outside of any rating system
(CVSS, etc.) as it should be appreciated in the context of Debian only.
"Minor issue" is very much tied to the no-dsa (postponed, ignored) group
of states, and is somewhat redundant.
"Can be fixed in point release" mostly conveys the same meaning and
would avoid thinking about "Minor" vs. Medium/High/Critical.
So overall coming up with a clearer terminology, tested with random
users and Debian contributors to ensure good "UX", would be good and
save time IMHO.
Cheers!
Sylvain